Subaru Flaw Gave Hackers Control of Cars in Canada and Beyond

Subaru recently fixed a major security flaw in its vehicles that could have allowed hackers to remotely unlock, start, and track them, among other things — reports WIRED.

The vulnerability had to do with the automaker’s suite of in-vehicle multimedia and connectivity features, called Starlink (not to be confused with the SpaceX-owned satellite internet service that provides high-speed broadband to over 400,000 Canadians). Subaru’s Starlink service is available in Canada, the U.S., and Japan, and all vehicles equipped with these digital features were at risk.

Security researcher Sam Curry discovered the flaw after setting himself the challenge of hacking a 2023 Subaru Impreza he had bought for his mother, and succeeding. Working alongside fellow expert Shubham Shah, Curry found vulnerabilities in a Subaru web portal for employees that could be exploited to take over any Starlink-connected vehicle.

The admin portal could be gamed to hijack a Subaru employee’s account. As long as an attacker knew a Subaru owner’s last name and ZIP code, email address, phone number, or license plate, they could then remotely lock/unlock their car, sound its horn, start its ignition, and reassign these actions to any phone or computer of their choosing.

Curry explained on his blog that bad actors could exploit the vulnerability to do some pretty scary stuff, including:

  • Remotely start, stop, lock, unlock, and retrieve the current location of any vehicle.
  • Retrieve any vehicle’s complete location history from the past year, accurate to within 5 meters and updated each time the engine starts.
  • Query and retrieve the personally identifiable information (PII) of any customer, including emergency contacts, authorized users, physical address, billing information (e.g., last 4 digits of credit card, excluding full card number), and vehicle PIN.
  • Access miscellaneous user data including support call history, previous owners, odometer reading, sales history, and more.

Curry reported the security flaws he uncovered to Subaru, and the carmaker patched them within 24 hours. The security researcher also confirmed that the vulnerability was fortunately never exploited maliciously.

A spokesperson for Subaru told WIRED that “after being notified by independent security researchers, [Subaru] discovered a vulnerability in its Starlink service that could potentially allow a third party to access Starlink accounts. The vulnerability was immediately closed and no customer information was ever accessed without authorization.”

However, Curry pointed out that it is worrying how someone — even if they’re a Subaru employee — can so easily pull location data for a car going back up to a year and even access the owner’s personal information. “You can retrieve at least a year’s worth of location history for the car, where it’s pinged precisely, sometimes multiple times a day,” he said.

This potentially represents a lapse in customer privacy that would be far harder to patch than a security flaw. Subaru, however, insists that its customers’ data is secure and that employees with access to location and customer information are under strict obligations to maintain privacy.

“All these individuals receive proper training and are required to sign appropriate privacy, security, and NDA agreements as needed,” the company noted in its statement. “These systems have security monitoring solutions in place which are continually evolving to meet modern cyber threats.”

Subaru is far from the only manufacturer to struggle with security as the industry digitizes vehicles. For example, countless cars manufactured by Hyundai subsidiary Kia have been stolen in recent years following a viral TikTok challenge exploiting a known flaw that could be used to start them.
